My career has been turbulent at times. I know that’s shocking to those of you who know me personally. When I was invited not to come to work at my last job in VA, I already had a good position at a hot start-up in Atlanta lined up. They were well aware of my situation, and once I was a free agent the deal got done quickly. I had one real estate agent selling a house in VA, and another looking for property in Atlanta. Full speed ahead.

Then I got the strangest call from my “new” CEO. He said they did a final reference check and a past boss pretty much drove a shiv into my gut. WTF? So now the sure thing in Atlanta wasn’t so sure. And even better, if this guy was talking me down in VA, my odds of getting another job if Atlanta fell through weren’t so good. So I went into damage control mode. I wasn’t going to go down like a lamb, so I came out swinging. I called in every favor I had. I created dissension at my former employer by having folks in all parts of the organization talk to the Atlanta company confidentially to provide a different viewpoint.

If I was going to investigate other occupations, it was going to be on my terms. Not because some whackjob CEO was trying to cover his behind as he lost control of his company. And you know what? I got the job. The good guys won. My friends stepped up for me bigtime, and I never forgot that. I promised myself that if I ever knew anyone else getting similarly screwed, I’d do everything in my power to help them. Everything. I’d return the favor when I had the opportunity.

A few weeks ago I had lunch with a friend, who told me a story eerily similar to mine. He got caught in the crossfire of a regime change and received the blackball treatment that happens when backchannel chatter is more important than demonstrable accomplishments. My blood was boiling. I knew what I had to do. So at RSA last week I looked for an opportunity to do it.

Thankfully one of my clients mentioned he was looking for the skill set my friend possessed. I jumped and put his name into the hat. I also mentioned his predicament and personally vouched for my guy. I called in a favor and asked my client to give him a chance. I don’t know if it’ll work out, but my guy is in the game and that’s all I asked.

And when my friend called yesterday to thank me, I smiled. It was a really big smile. Like some type of karmic balance returned to the world, if only for a few minutes. I smiled because I remember being in that spot. I remember how powerless I felt. How a control freak had no control. And I remember how relieved I felt when I learned those folks stepped up for me. But most of all, it felt really good to be able to keep that promise I made to myself all those years ago.

My friend asked what he could do for me. My answer was absolutely nothing. This wasn’t about me. It was about righting a wrong and doing the right thing. But I did tell him to pay it forward. Someday he’ll meet someone in the same position and he needs to help. And he will.


TIP A DRINK TO RICH: Let’s all congratulate Rich and his wife Sharon for the successful launch of their latest joint project. The latest addition to the team, Ryan Mogull, was born Sunday night. Rich will be taking some time with the family for the rest of the week, but should be back in the saddle soon. And yes, we are shopping for a Securosis onesie.

Photo credits: Switchbox karma originally uploaded by stuart anthony

Upcoming Cloud Security Training

Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading, UK, April 8-10. Sign up now.

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Email-based Threat Intelligence

Understanding Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. Give a security hobo a pair of shoes: Really great post by Bob Rudis about what he’s calling Security Hobos, the truly small businesses that really have no idea what they need to do. But we have an opportunity to make a difference, like the cop who gave the homeless guy in NYC a pair of boots. Bob points out that these are the kinds of business that put their POS software on the only machine in the business. And yes, that machine will get popped and it will be bad. But rather than just railing about how these folks create problems, Bob makes some actual suggestions for how to help. Do things like speak at your Chamber of Commerce and search out small businesses to offer advice. I talked about returning karmic balance above, and this is another great opportunity to do it. Don’t expect anything in return – do it because it’s the right thing to do. – MR
  2. Driving competition: Amazon Web Services (AWS) rolled out a monitoring tool called Trusted Advisor. It is positioned as a performance and security tool, leveraging the intelligence Amazon gathers to help customers tune their environments. Like traditional IT tools playing at security, it’s really operational metrics and tools masquerading as security features. It’s just the most basic of security efforts, but sometimes ‘good-enough’ is in fact good enough – which means small vendors need to worry. The Advisor is simple, available, convenient, and provides enough value that most customers won’t look for a third party solution. Small vendors will now race Amazon to differentiate their products, and likely branch out to support other cloud environments, positioning themselves as solutions for avoiding vendor lock-in and supporting heterogeneous environments. This is where cloud computing gets interesting, as the lines between tools and services blur, and security features increasingly becomes differentiators. – AL
  3. Indicators rock. But only if you know how to use them: David Bianco makes the point on his Enterprise Detection & Response blog that having the indicators (from a report such as Mandiant’s) is great, but most folks don’t actually know how to use them. So he presents a pyramid that starts with IP addresses and proceeds up through domain names, network/host artifacts, tools, tactics, techniques, and procedures. Each step up the pyramid means a smaller amount of data, which is harder to use. But the stuff at the top is ultimately more useful for pinpointing advanced attackers in your territory. We are very early in the march toward using threat intelligence to effectively detect attacks. But folks like David and Mandiant and others help document the process of mining your security data to look for these indicators. And we can all react faster and better with their help. – MR
  4. Waging the war for public opinion: Google has thrown heavy marketing wood behind their advancements in identity and user validation features, with numerous posts on their war against account hijackers and how to prevent identity theft. Coincidentally, Google is pushing 2-step verification when Adam Goodman is discussing how you can bypass Google’s 2-step verification. At the same time privacy advocates are grousing that the more Google security you turn on, the more personal information you expose to Google. They argue that these efforts don’t protect against identity theft – they actually protect Google assets. The reality is somewhere in between. These criticisms have merit, but it’s hard to fault Google’s efforts to prevent account compromise. SSL, stronger passwords, 2-factor auth, monitoring metadata, and monitoring the environment; all help verify users are who they say they are, and reduce attackers’ capability to leverage Google to spam, distribute malware, or commit fraud. Which is pretty much a win/win. But you know the haters are gonna hate. – AL
  5. How can I drink coffee and pontificate all day? I had a number of folks inquire about the industry analyst life last week at RSA. I am the first to admit that I live a charmed existence, and most days I cannot believe I actually do what I do and make a pretty good living. But I have been in the industry for 20+ years. As Hoff likes to say, any ass can get a blog and write stuff, but to get paid for it is another thing entirely. Check out this post from Nate Thayer talking about his experiences as a freelance writer. An independent analyst’s life isn’t much different in the beginning. You need visibility. And there is never a lack of folks who would be happy to profit from selling advertising around your words or photos. But, like most other gigs, some folks make it look easy. And everyone else starves. – MR